Re: [webauthn] WebAuthn and Web Payments -- Transaction Confirmation, 3DS2, SRC, etc. (#1396)

The original approach (https://www.w3.org/TR/webauthn/#sctn-simple-txauth-extension):
a) allowed the RP to provide any transactionText (having the expectation it would include something like "Transfer $1000 from account 987654321 to account 123456789").
b) expected the authenticator to display that transactionText and
c) only generate the resulting signed assertion (including the hash of the transactionText) if the user (i) agreed to the transaction and (ii) could provide the gesture (e.g. use correct finger to touch the sensor).  The hash of the transactionText is included in an extension that is added/controlled by the authenticator.

The new idea would also allow some privileged software to display the transactionText - expecting that the assertion would allow the RP (=verifier) to understand whether the Authenticator displayed it (hash of transactionText included in extension) or the privileged software did (e.g. add hash of transactionText to collectedClientData or to the same extension but setting a specific flag that privileged software displayed it).

With this approach we would extend the reach as FIDO authenticators without a display could be used as well.
The use of authenticators with display is still possible and even allows scalable security (e.g. using TrustedUI as it is done by Android Protected confirmation).
However, on today's mobile devices, malicious apps cannot easily "infect" other apps or the browser.
Both approaches protect against JS code injection, e.g. through infected ads or ad providers or otherwise altered content that was loaded via one of the typically many external script sources that are included in web pages.

-- 
GitHub Notification of comment by rlin1
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1396#issuecomment-640473034 using your GitHub account

Received on Monday, 8 June 2020 09:05:49 UTC